Hi list,
I have samba-3.0.2-2 rpm installed on Redhat Enterprise Linux 3 AS kernel version.
I've been using the Samba 3 How-To and messages on various mailing lists to join
Samba to an AD domain and authenticate using winbind/pam.
So far Samba has successfully become a member of the AD domain and can browse file
servers using smbclient but I haven't been able to get winbind working - specifically
wbinfo -u, wbinfo -g and wbinfo -t return errors.
Below is a dump of the install/configuration process so far and the relevant config
files.
Any help on this is much appreciated as I've spent 3 days trying to get it to work and
it refuses to for love nor money!
# rpm -ivh samba*.rpm
#rpm -q samba
samba-3.0.2.2
#rpm -qa | grep openldap
openldap-2.0.27-11
openldap-devel-2.0.27-11
openldap-clients-2.0.27-11
#rpm -qa | grep krb
krbafs-1.1.1-11
krbafs-utils-1.1.1-11
krbafs-devel-1.1.1-11
krb5-libs-1.2.7-19
krb5-workstation-1.2.7-19
pam_krb5-1.70-1
krb5-devel-1.2.7-19
krb5-server-1.2.7-19
Edit /etc/samba/smb.conf
[global]
realm = KERBEROS.REALM
security = ADS
encrypt passwords = yes
password server = kerberos.server
Edit /etc/krb5.conf
[libdefaults]
default_realm = KERBEROS.REALM
[realms]
KERBEROS.REALM = {
kdc = kerberos.server - should :88 be appended to this line?
}
[domain_realms]
.kerberos.server=KERBEROS.REALM
#net ads join -U administrator
password:
Joined 'SERVERNAME' to realm 'DOMAIN'
#kinit [EMAIL PROTECTED]
password:
#smbclient //servername/share -k
smb // >
Up to here everything is OK and the server account can be seen in AD.
#ls -l /lib | grep libnss_winbind
libnss_winbind.so -> libnss_winbind.so.2
Edit /etc/nsswitch.conf
passwd: files winbind
shadow: files
group: files winbind
#ldconfig -v | grep winbind
libnss_winbind.so -> libnss_winbind.so.2
Edit /etc/samba/smb.conf
[global]
realm = KERBEROS.REALM
security = ADS
encrypt passwords = yes
password server = kerberos.server
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
#testparm
Load smb config file from /etc/samba/smb.conf
Loaded services file OK
'winbind separator = +' might cause problems with group membership
server role: ROLE_DOMAIN_MEMBER
#net rpc join -S PDC -U administrator
password:
Joined domain DOMAIN
#winbindd -B
# wbinfo -u
Error looking up domain
#wbinfo -g
Error looking up domain
# wbinfo -t
Checking the trust secret vi RPC calls failed
Error code was (0x0)
Could not check secret
#wbinfo -p
Ping to winbindd failed on fd-1
Could not pin winbindd!
# ps -ae | grep winbindd
PID winbind
PID winbind
This is the output from /var/log/samba/log.winbind
[2004/02/13 13:35:47, 1] nsswitch/winbindd.c:main(843)
winbindd version 3.0.2 started.
Copyright The Samba Team 2000-2004
[2004/02/13 13:35:47, 0] libsmb/cliconnect.c:cli_session_setup_spnego(724)
Kinit failed: Preauthentication failed
[2004/02/13 13:35:47, 1] nsswitch/winbindd_util.c:add_trusted_domain(166)
Added domain INFORMA-UK uk.informa.com S-1-5-21-1547161642-839522115-68200333
0
[2004/02/13 13:35:47, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
krb5_cc_get_principal failed (No credentials cache found)
[2004/02/13 13:35:47, 0] libads/kerberos.c:ads_kinit_password(133)
kerberos_kinit_password HOST/[EMAIL PROTECTED] failed: Preauthenticati
on failed
[2004/02/13 13:35:47, 1] nsswitch/winbindd_ads.c:ads_cached_connection(65)
ads_connect for domain INFORMA-UK failed: Preauthentication failed
[2004/02/13 13:35:47, 1] libsmb/clikrb5.c:ads_krb5_mk_req(276)
krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot find KDC for
requested realm)
[2004/02/13 13:35:47, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(516)
spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm
[2004/02/13 13:35:47, 1] nsswitch/winbindd_util.c:add_trusted_domain(166)
Added domain INFORMA informa.com S-1-5-21-872949640-2421699758-2984176268
[2004/02/13 13:35:48, 1] nsswitch/winbindd_util.c:add_trusted_domain(166)
Added domain DEFAULT S-1-5-21-2136767079-1738235858-945835055
[2004/02/13 13:35:49, 1] nsswitch/winbindd_util.c:add_trusted_domain(166)
Added domain AGRA_UK S-1-5-21-591026277-1029915393-619646970
[2004/02/13 13:35:50, 1] nsswitch/winbindd_util.c:add_trusted_domain(166)
Added domain MRC_UK S-1-5-21-1670978810-1498184290-1845911597
[2004/02/13 13:35:50, 1] nsswitch/winbindd_util.c:add_trusted_domain(166)
Added domain LLP S-1-5-21-2047764551-82006601-1874078741
[2004/02/13 13:35:51, 1] nsswitch/winbindd_util.c:add_trusted_domain(166)
Added domain CODA S-1-5-21-1310659078-2099469345-1236795852
[2004/02/13 13:35:52, 1] nsswitch/winbindd_util.c:add_trusted_domain(166)
Added domain INFORMA_ASIA S-1-5-21-1008349960-465597267-314601362
[2004/02/13 13:35:53, 1] nsswitch/winbindd_util.c:add_trusted_domain(166)
Added domain TEST.COM S-0-0
[2004/02/13 13:35:53, 1] libsmb/clikrb5.c:ads_krb5_mk_req(276)
krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot find KDC for requested
realm)
[2004/02/13 13:35:53, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(516)
spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm
[2004/02/13 13:35:53, 1] nsswitch/winbindd_util.c:add_trusted_domain(166)
Added domain AGRA agra.informa.com S-1-5-21-1801674531-2139871995-1177238915
[2004/02/13 13:35:53, 1] libsmb/clikrb5.c:ads_krb5_mk_req(276)
krb5_get_credentials failed for [EMAIL PROTECTED] (Cannot find KDC for requested
realm)
[2004/02/13 13:35:53, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(516)
spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm
Again thanks for any help with this.
Simon
********************************************************************************
The information contained in this email message may be confidential. If you are not
the intended recipient, any use, interference with, disclosure or copying of this
material is unauthorised and prohibited. Although this message and any attachments are
believed to be free of viruses, no responsibility is accepted by Informa for any loss
or damage arising in any way from receipt or use thereof. Messages to and from the
company are monitored for operational reasons and in accordance with lawful business
practices.
If you have received this message in error, please notify us by return and delete the
message and any attachments. Further enquiries/returns can be sent to [EMAIL
PROTECTED]
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
